UPDATE: Private keys of hardware and software supplier MSI leaked | News item

News item | 10-05-2023 | 4:45 p.m.

On April 7, hardware and software provider MSI announced that it had fallen victim to a ransomware attack. Private keys, including Intel Boot Guard keys, were stolen. In this message, we provide an update on the incident and the potential impact on your organization.

Background:

  • Security company Binarly reports that MSI private keys were leaked as a result of a ransomware attack. These private keys are used to digitally sign the motherboard firmware so that Intel Boot Guard can verify that firmware.
  • Intel Boot Guard verifies during the system boot process that the motherboard firmware is signed by the vendor. The purpose of this is to prevent a malicious actor from running rogue firmware and thus gaining access to the system.
  • Leaked private keys undermine the functionality of Intel Boot Guard because an attacker with access to a vulnerable system (local access by default) can misuse the private keys to install and run malicious firmware. This could, for example, give an attacker access to data stored on the system, or the access gained could be used to carry out further attacks.

Facts:

  • Inquiries with chip maker Intel indicate that the leaked Intel Boot Guard keys are owned by MSI itself and are used specifically for MSI systems. Key abuse is therefore limited to attacks on MSI-supplied systems and motherboards.
  • MSI motherboards may be included in other vendors’ products. Security company Binarly has published a (limited) list of potentially affected products. [1][2] This list is indicative and has not been verified by NCSC.

Commentary and recommended actions

  • Successful exploitation is technically complex and in principle requires local access to a vulnerable system. NCSC therefore considers the risk of abuse to be low. However, it is not inconceivable that the leaked keys could be used in targeted attacks.
  • NCSC is not aware of any indications of misuse of the leaked keys.
  • Organizations using MSI systems or products listed by Binarly are advised to contact their supplier for further information and a course of action.
  • More technical information about this incident and an overview of the recommended actions can be found in security advisory NCSC-2023-0235 on the NCSC website.

NCSC is closely monitoring the situation in collaboration with partners. This page will be updated as more information or further recommended actions become available.

[1] https://github.com/binarly-io/SupplyChainAttacks/blob/main/MSI/MsiImpactedDevices.md
[2] https://github.com/binarly-io/SupplyChainAttacks/blob/main/MSI/IntelOemKeyImpactedDevices.md
